Protocol-independent settings
Allow ICMP errors from the destination to the source
– ICMP error messages are sent
in several situations: for example, when an IP packet cannot reach its destination. The
purpose of these error control messages is to provide feedback about problems in the
communication environment.
However, ICMP error messages and firewalls are usually not a very good combination; the
ICMP error messages are initiated at the destination host (or a device within the path to the
destination) and sent to the originating host. The result is that the ICMP error message will be
interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the
firewall rule-set. Now, allowing any inbound ICMP message to be able have those error
messages forwarded is generally not a good idea.
To solve this problem, DFL-200 can be instructed to pass an ICMP error message only if it
is related to an existing connection. Check this option to enable this feature for connections
using this service.
ALG
– Like other stateful inspection based firewalls, DFL-200 filters on information found
in packet headers, for instance in IP, TCP, UDP and ICMP headers.
In some situations though, filtering on header data only is not sufficient. The FTP protocol,
for instance, includes IP address and port information in the protocol payload. In these cases,
the firewall needs to be able to examine the payload data and carry out appropriate actions.
DFL-200 provides this functionality using Application Layer Gateways, also known as ALGs.
To use an Application Layer Gateway, the appropriate Application Layer Gateway
definition is selected in the dropdown menu. The selected Application Layer Gateway will thus
manage network traffic that matches the policy using this service.
Currently, DFL-200 supports two Application Layer Gateways, one is used to manage the
FTP protocol and the other one is a HTTP Content Filtering ALG. For detailed information
about how to configure the HTTP Application Layer Gateway, please see the Content Filtering
chapter.